posted by Fnord666 on Monday February 19 2018, @05:54AM
from the mail-only-accepted-from-ourselves dept.

On his blog, Peter N. M. Hansteen sometimes writes about the problems with getting certain mail service providers to up their game. This time his post provides the details on how a particularly large service not only fails at SMTP sender verification but also at many other tasks necessary for professional mail hosting.

Whenever I encounter incredibly stupid and functionally destructive configuration errors like this I tend to believe they're down to simple incompetence and not malice.

But this one has me wondering. If you essentially require incoming mail to include the contents of spf.outlook.com (currently no less than 81 subnets) as valid senders for the domain, you are essentially saying that only outlook.com customers are allowed to communicate.

If that restriction is a result of a deliberate choice rather than a simple configuration error, the problem moves out of the technical sphere and could conceivably become a legal matter, depending on what outlook.com have specified in their contracts that they are selling to their customers.

One takeaway is that spam-fighting decisions from decades past have left us with technologies that have led to the centralization of mail on fewer and fewer providers. As such it is increasingly difficult for even skilled professionals to operate their own mail hosting smoothly.

Source: A Life Lesson in Mishandling SMTP Sender Verification
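To make concrete what the quoted post describes, here is an added example (not code from the post, the blog, or any provider) of an SPF check run against constructed, offline DNS data: `correct_check` evaluates the connecting IP against the sender domain's own SPF record, while `broken_check` models the misconfiguration described above, where every incoming sender is validated against the receiving provider's own list. All domain names, addresses and records below are constructed sample values, and `spf.outlook.com` is only used as a key in that sample data.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are sample records, not real ones.
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",          # self-hosted sender
    "example.net": "v=spf1 include:spf.outlook.com -all",      # hosted at the big provider
    "spf.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.0/24 -all",  # provider's list (made up)
}


def spf_networks(domain, depth=0):
    """Flatten the ip4: and include: terms of a domain's SPF record into networks."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; stop runaway include chains
        return []
    nets = []
    for term in FAKE_DNS_TXT.get(domain, "").split():
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[8:], depth + 1))
    return nets


def spf_verdict(sender_ip, domain):
    """'pass' if sender_ip is authorised by domain's record, 'fail'/'softfail' otherwise, 'none' if no record."""
    if domain not in FAKE_DNS_TXT:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in spf_networks(domain)):
        return "pass"
    return "fail" if FAKE_DNS_TXT[domain].endswith("-all") else "softfail"


def correct_check(sender_ip, mail_from):
    """Receiver checks the connecting IP against the SPF record of the MAIL FROM domain."""
    return spf_verdict(sender_ip, mail_from.split("@", 1)[1])


def broken_check(sender_ip, mail_from, provider_spf="spf.outlook.com"):
    """The misconfiguration in the post: every sender is checked against the receiver's provider list,
    so only mail relayed through that provider's networks can ever pass."""
    return spf_verdict(sender_ip, provider_spf)


if __name__ == "__main__":
    for ip, sender in [("203.0.113.10", "alice@example.org"), ("198.51.100.5", "bob@example.net")]:
        print(sender, ip, "correct:", correct_check(ip, sender), "broken:", broken_check(ip, sender))
```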

  • (Score: 2) by c0lo on Monday February 19 2018, @07:19AM (8 children)

    by c0lo (156) Subscriber Badge on Monday February 19 2018, @07:19AM (#640008) Journal

    (sorry for the typo. Q: were you born at that time?)

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by Apparition on Monday February 19 2018, @07:50AM (7 children)

    by Apparition (6835) on Monday February 19 2018, @07:50AM (#640017) Journal

    I was born in the late 1970s, so yes, although I was a wee lad at the time. Yes, I am aware that at the time SMTP was designed through the early 1990s, sending e-mails was expensive, but the ubiquity of the Internet in the '00s and '10s has broken SMTP completely. It needs to be replaced.

    • (Score: 2, Touché) by Anonymous Coward on Monday February 19 2018, @08:21AM

      by Anonymous Coward on Monday February 19 2018, @08:21AM (#640021)

      So far, the only alternative the "e-mail must be replaced" club has come up with is Facebook.

      Not exactly an improvement.

    • (Score: 2, Touché) by Anonymous Coward on Monday February 19 2018, @09:57AM

      by Anonymous Coward on Monday February 19 2018, @09:57AM (#640040)

      It needs to be replaced.

      If you propose a replacement that includes a blockchain, you might even get money for that.

    • (Score: 2) by sjames on Monday February 19 2018, @02:37PM (4 children)

      by sjames (2882) on Monday February 19 2018, @02:37PM (#640097) Journal

      So what's your proposal? Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it? How much will they charge you? Who will keep them honest?

      Now, why will that very special stamp of approval from whoever require a replacement to smtp rather than just another header?

      • (Score: 3, Informative) by c0lo on Monday February 19 2018, @02:50PM (3 children)

        by c0lo (156) Subscriber Badge on Monday February 19 2018, @02:50PM (#640102) Journal

        Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it?

        GPG with a public key I handed to you personally in a key signing party [archive.org]. Trusting anything else is delusion.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 1, Interesting) by Anonymous Coward on Monday February 19 2018, @03:17PM

          by Anonymous Coward on Monday February 19 2018, @03:17PM (#640110)

          I've always felt that blockchain would work fairly well to validate public keys in a distributed way.

          Sign up for service, generate keys/username, post username and keys, validators incorporate those into the blockchain.

          You send a message to a new person, query the chain, save the public key. Periodically compare the chain and personal key lists. Publicly post about discrepancies (could be automated even).

        • (Score: 2) by sjames on Monday February 19 2018, @03:19PM

          by sjames (2882) on Monday February 19 2018, @03:19PM (#640112) Journal

          That's a great way to make sure emails from my friends are really from my friends, but what about the zillion other people that might (or might not) have a legitimate reason to email me?

          And, of course, that works just fine over SMTP.

          But note, it's 20 years old and freely available but it hasn't solved the problem yet.

        • (Score: 0) by Anonymous Coward on Monday February 19 2018, @08:14PM

          by Anonymous Coward on Monday February 19 2018, @08:14PM (#640245)

          Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it?

          My schlong in your tight little...you picked my key out of a bowl at a key party [wikipedia.org]. Trusting anything else is way less fun!

          There. FTFY.